What would you run with WSA Essentials and Sandboxie?

Discussion in 'other anti-malware software' started by justenough, Apr 8, 2012.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You do know that I'm a Sandboxie user. I use it less and less, though. But, anyway... :D Considering that Google Chrome is used by millions of users, is actually a pretty good view, isn't it? :) And, any bypass/break happening, is actually a chance for Google to improve its already great sandbox. :)

    On the other hand, I've seen, including in this same forum, many make the claim that they tests lots of malware samples against Sandboxie, and none managed to break out.
    Well, that's all peachy... but, what's the real % of malware samples that were actually developed, having as their target Sandboxie? I'd say 0% of them.

    And, as Kees1958 mentioned, Sandboxie has been bypassed in the past...

    Anyway, as Kees1958, I do hope that Sandboxie gets the needed change.
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,969
    Location:
    Nicaragua
    Nothing.

    Bo
     
  3. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    About this paragraph, tzuk said this at the Sandboxie forum: "The statement you quote is no longer true. You can use Process Explorer to see that the security context of Chrome processes is the same whether running inside or outside the sandbox."

    So I am back where I was when I started the thread, using Sandboxie, WSA-E and Chrome, with Kees1958 suggestions for setting up WSA-E. This might be my favorite security setup ever. What would make it better? Bo gets right to the point: "Nothing."
     
  4. chris1341

    chris1341 Guest

    Interested to know what that means. Does it mean SBIE now recognises and replicates Chrome's low integrity flag inside the sandbox or not? Does security context mean the same thing? I don't see it in Process Explorer but realise that can sometimes be misleading.

    Regardless I'll continue to sandbox browsers, including Chromium based variants. Properly configured SBIE makes up for any loss associated with diluting the Chrome sandbox through raising integrity levels IMO.

    Exactly!

    NB - reading SSJ100's comments on the SBIE forum in the thread you reference where he rants about 'self-proclaimed experts' made me laugh. This from a guy who has his own forum giving out advice! - 'Oh wad some power the giftie gie us, To see oursel's as others see us!' :D
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That seems to be the case! I downloaded the most recent stable version, and then ran it in a sandbox, and according to Process Explorer, the renderer processes do run at low integrity level. :thumb:

    Adobe Reader X, also seems to run at low integrity level, as well. I monitored it sometiem ago, and according to Process Explorer, sometimes it would get a low, and other times it would get a medium. But, it seems to always be at low integrity level now. :) :thumb:

    Can anyone test Internet Explorer 9? :)

    -edit-

    So, at least in what comes to Google Chrome and Adobe Reader X (I don't know about Internet Explorer), we have two sandboxes. :thumb: But, one problem still remains - Sandboxie lacks ASLR support, and it does inject a dll into chrome.exe, to run it in the sandbox. Hopefully, this will happen too - supporting ASLR.

    -edit 2-

    Can anyone give it a run with Firefox and this version of Adobe Flash Player -http://labs.adobe.com/downloads/flashplayer11-3.html (This version runs in a sandbox. I'm wondering if Sandboxie breaks it? If it does, this means that Sandboxie doesn't truly mirror integrity levels into the sandboxes, it just works with those of Google Chrome and Adobe Reader X (perhaps also Internet Explorer 9))
     
    Last edited: Apr 11, 2012
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I did a small test. This is actually something I noticed happening last year. I got my Downloads folder @ a low integrity level. Any file I have there inherits the low integrity level.

    I downloaded a zip file, and saved it there. I checked the integrity level, and of course it inherited the low integrity level.
    Then, I opened the zip file with 7-zip, which is being forced to run in a sandbox. I extracted the contents of the zip file, which is an *.exe and *.txt file, and the files have now a default medium integrity level.

    So, Sandboxie still doesn't mirror integrity levels into the sandboxes. It just works with Adobe Reader X and Google Chrome's sandboxes (maybe also with IE9's Protected Mode?), but that's it. Other than that, it still effectively breaks Windows Vista and Windows 7 MIC.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yeah, congratulations on Tzuk and Sandboxie. IMO this raised the bar for malware to come through (dealing with low rights, SBIE and UAC)

    compliments :thumb: :thumb: :thumb:
     

    Attached Files:

  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,679
    Location:
    USA
    Bo knows. :cool:
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, he still needs to support ASLR, and to actually globally mirror the integrity levels in the sandboxes. But yes, this is very welcome.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Apparently, Adobe Reader X Protected Mode no longer works in Sandboxie. Both the latest stable version, and the most recent beta version.

    I did recently install the latest Adobe Reader X version.

    -edit-

    I also tested in a Default sandbox. Same result.
     

    Attached Files:

Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.